
A Comprehensive Overview of the CBC Directive on Internal Governance of EMIs & PIs

  • Elena Niki Karletidi
  • May 11

Updated: 6 days ago

Understanding the Internal Organisation & Governance Directive of 2025



Introduction


The Payment Institutions Internal Organisation & Governance Directive, issued in draft by the Central Bank of Cyprus (CBC), establishes comprehensive requirements for the development, application, and effective control of internal governance mechanisms for payment institutions. This Directive aims to ensure their effective and prudent management while aligning with international standards and practices.


Purpose and Application


Purpose


The primary purpose of the CBC Directive is to set forth requirements regarding the development and effective control of internal governance mechanisms that payment institutions must implement. These measures are designed to ensure that institutions operate in a manner that is both effective and prudent, safeguarding the interests of all stakeholders.


Application


The Directive applies to licensed payment institutions established in the Republic. Institutions providing specific services exclusively may be exempt from certain requirements, subject to CBC approval.


Proportionality and General Requirements


General Requirements


The Directive mandates strong governance with sound and effective management, including:

  • A clear organizational structure with transparent and consistent lines of responsibility.

  • Effective detection, management, monitoring, and reporting of risks, including non-compliance with regulatory frameworks.

  • Internal control mechanisms, including compliance with anti-money laundering and counter-terrorism financing regulations.

  • Procedures for monitoring and handling complaints and allegations.

  • Administrative and accounting procedures.


Proportionality


Institutions must consider the nature, scale, and complexity of their activities and internal organization when developing and implementing internal governance arrangements.


Management Body, Committees & Composition


Roles & Responsibilities of the Board


The Board of Directors (BoD) is responsible for the oversight, effective supervision, approval, and implementation of business strategies, key policies, risk strategies, and the governance framework. The BoD must ensure the establishment and effective implementation of a Conflicts of Interest Policy and regularly assess the effectiveness of governance arrangements.


Board Composition


The BoD's size and composition must reflect the institution's size, complexity, and activities. It must include at least two executive directors, one of whom is the CEO, and at least three non-executive, independent directors with the majority voting power. The chairman must be an independent non-executive director.



Board Meetings


The BoD must hold at least four regular or extraordinary meetings annually. Members can participate either physically or via videoconference, with physical attendance required at least once a year. Absences are limited to no more than two consecutive meetings or 25% of annual meetings.


Annual Suitability Assessment


The BoD, its committees, and its members must undergo an independent suitability assessment every three years, with the results reported to the CBC.


Establishment of Board Committees


The BoD must establish committees such as the Risk Management Committee and Audit Committee, primarily composed of non-executive directors. These committees are responsible for advising the BoD, monitoring risk management, and ensuring compliance.

 

Internal Governance Framework


 

The Three Lines of Defense Model


The Directive emphasizes the Three Lines of Defense Model, ensuring a robust internal control system through clearly defined roles and responsibilities at various organizational levels.

Corporate Values & Code of Conduct


Institutions must establish a Code of Conduct based on international standards, promoting risk awareness, honesty, integrity, and compliance. Monitoring and training programs must ensure staff adherence to the Code.



Customer Complaint Handling


Institutions must maintain effective and transparent procedures for handling customer complaints, in line with ESMA Guidelines, and disclose relevant information on their websites.


Internal Whistleblowing Policy & Procedure


An internal whistleblowing mechanism must be in place, ensuring protection and confidentiality for whistleblowers. Institutions must comply with the Protection of Persons Who Report Breaches of Union and National Law.


External Whistleblowing Mechanism


Institutions must provide reliable mechanisms for staff to report potential or actual regulatory violations to the CBC, particularly when internal procedures may not be effective or pose risks to the whistleblower.


Internal Controls System


Institutions must develop and maintain a comprehensive internal control system, including regular external evaluations, to prevent money laundering and terrorism financing. Internal control functions may be outsourced, subject to stringent oversight.

 

Risk Management Framework


Roles & Responsibilities


The Risk Management function must have adequate authority, resources, and expertise to manage all institutional risks effectively. The Head of Risk Management directly reports to the BoD and ensures continuous risk monitoring and communication.


New Products & Significant Changes


Institutions must have a documented policy for approving new products and significant changes, covering compliance reviews, risk assessments, and regulatory adherence.


Policy aspects:


  • Ensures that all approved products and changes are aligned with the institution's risk strategy or undergo necessary reviews.

  • Defines the scope for evaluating major changes, including new products, system modifications, risk management frameworks, and organizational restructuring.

  • Incorporates significant process modifications, such as new external outsourcing arrangements and updates to technological systems.

  • Establishes procedures for systematic pre-approval assessments and documented compliance reviews by the Compliance function.

  • Covers parameters to consider before entering new markets, launching new products/services, or implementing substantial modifications.

  • Provides clear definitions for key concepts such as "new product," "new market," and "significant changes."

  • Outlines critical issues to address prior to approval, including regulatory compliance, accounting, pricing models, risk profile impact, profitability, resource availability, and internal tools for risk monitoring.


Reporting to the Central Bank of Cyprus


Institutions must submit various reports to the CBC, including minutes of BoD meetings, internal audit reports, risk management reports, compliance reports, and outsourcing assessment reports, all within specified timeframes.



Timeline


The new CBC Directive on Internal Governance of EMIs & PIs has undergone the final round of consultation and is estimated to be officially issued by the CBC between H1 2025 and early H2 2025.


Conclusion


Overall, the CBC Directive on Internal Governance of EMIs & PIs sets forth comprehensive requirements for payment institutions to ensure effective and prudent management. By adhering to these rules and guidelines, institutions will need to enhance their governance frameworks, manage risks effectively, and safeguard stakeholder interests.

 
 

The material reflected in our website, including Blog material, is for informational purposes only and does not constitute legal advice, consulting, or any other professional advice. Please seek independent professional guidance for your specific needs.

All rights reserved. No part of this work may be reproduced, stored in a retrieval system of any nature, or transmitted, in any form or by any means, including photocopying and recording, without the prior written permission of ENAH Services Ltd. The reproduction or transmission of all or part of the work, whether by photocopying or storing in any medium by electronic means or otherwise, without the written permission of the owner is strictly prohibited, and the commission of any unauthorised act in relation to the work will result in civil and/or criminal actions.
